Ola Cabs Privacy Security Issue discovered by AppWatch

01.Feb.2015

Hello Everyone,

At Attify, we have been working on months now to come up with AppWatch , the best mobile security assessment platform to help developers, penetration testers, managers and even* CISOs* for the enterprise mobile security.

We launched an early community version of AppWatch 4 months back, and got some really great response from the developer and security community. Thanks everyone for helping us improve AppWatch and making it more relevant to your needs.

We are currently working actively to come up with the next version of AppWatch, and evolving it from a tool to a complete mobile security platform for enterprises.

This blog post will discuss one of the vulnerabilities we discovered with AppWatch in Ola Cabs (a major competitor to Uber), the most popular cab ride service in India.

The vulnerability lies in one of their APIs, revealed during the application usage. (Sorry, we are not allowed to reveal the exact technical details of the vulnerability).

So, in order to identify the vulnerability, a pentester would :

Need to install and run the application

Set up proxy on his host system

Configure proxy in the Android device

Look into each and every requests to find the vulnerability

This process typically takes 3-4 hours of work for a skilled pentester.

With AppWatch, you can find the vulnerability, as well as create a POC in less than 5 mins. That’s how powerful and easy to use AppWatch is.

The first step is to login to your AppWatch portal. Since, Google Play support is already integrated in AppWatch, you just need to search for Ola Cabs in the search box.

Once you start analysis, it will automatically create a new instance for you (we love [Dockers](https://www.docker.com/)), where it will install and run the application. You will have a screen looking something similar to the one shown below.

You can use the application normally, and AppWatch will show you the **real time application’s network traffic**. AppWatch is an **intelligent platform**, with which it automatically** identifies APIs which could be vulnerable**. As soon the app does something which AppWatch identifies to be vulnerable, it simply displays a *vulnerable* tag along with the request.

You can now click on the **request** to have it expanded to show you both the request and response with all the parameters and headers, which you can modify and replay from the same window. [*Isn’t it awesome*](https://appwatch.io)?

[![Editing live requests in AppWatch](https://blog.attify.com/content/images/2015/02/editing-live-requests.png)](https://blog.attify.com/content/images/2015/02/editing-live-requests.png)Editing live requests in AppWatch

Once you hit replay, and see that it’s really vulnerable, you can easily create a POC by clicking on the **Create POC** button in the replayed request. AppWatch automatically identifies what kind of vulnerability it is, and shows you corresponding POC creation parameters.

You can now configure the parameters, and click on** Create POC** to have AppWatch generate the complete vulnerability POC for you. You’ll see the URL of the newly created POC there itself. Depending on the vulnerability found, the POC generated will be different, and you can even customize the complete POC according to your needs.

The vulnerability reveals the complete user details of any user, how much he has travelled, his recent travel bookings, Wallet details including the credit, amount credited and debited, previous booking reference numbers and much more – all with just the user’s email id.

Below is a video demo of the vulnerability mentioned in the blog post.

Thanks for going through the blog post. If you are excited about AppWatch and want to try it out for free, as soon as it launches in March 2015, sign up at https://appwatch.io . Also, just AAMOF, we recently also found a vulnerability in one of the apps by Twitter, using AppWatch (in less than 5 mins) which landed us a bounty of $980. 🙂

Please direct all mails regarding the blog post to secure [at] attify [dot] com . If you want to share this on twitter, please mention us at @attifyme .

Also, if you’re from India, Attify team will be present at an upcoming event Nullcon in Goa from Feb 5th-7th, and in StartupGrind at Redmond City, CA, US from Feb 9th-11th. Also, if you’re from the Bay area, feel free to drop a mail in case you want to discuss about your enterprise security issues and how Attify can help you solve them.

We appreciate the responsible disclosure policy by Ola Cabs, and we made the post public only when the vulnerability was completely patched. The ultimate goal is to support the startups who are helping us everyday, like Ola, and not to harm their reputation.

It’s really good to see Indian startups like Ola focussing so much in security, and patching the reported vulnerabilities in less than 48 hours time. We love working with companies, their security team and developers and making their applications secure.

Contact us to get the security assessment of your application done or to get AppWatch for your organisation.